nist sp 800-37, revision 1 - security conference, … tier 3 information system (environment of...
TRANSCRIPT
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NIST SP 800-37, Revision 1Applying Risk Management to Information Systems
(Transforming the Certification and Accreditation Process)
Annual Computer Security Applications Conference
December 10, 2009
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
A Unified FrameworkFor Information Security
The Generalized Model
Common
Information
Security
Requirements
Unique
Information
Security
Requirements
The “Delta”
National security and non national security information systems
Foundational Set of Information Security Standards and Guidance
• Standardized risk management process
• Standardized security categorization (criticality/sensitivity)
• Standardized security controls (safeguards/countermeasures)
• Standardized security assessment procedures
• Standardized security authorization process
Intelligence
Community
Department
of Defense
Federal Civil
Agencies
Private Sector
State and Local Govt
3
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Enterprise-Wide Risk Management
4
TIER 3
Information System(Environment of Operation)
TIER 2
Mission / Business Process(Information Assets and Information Flows)
TIER 1
Organization(Governance)
STRATEGIC RISK
FOCUS
TACTICAL RISK
FOCUS
Multi-tiered Risk Management Approach
Implemented by the Risk Executive Function
Enterprise Architecture and SDLC Focus
Flexible and Agile Implementation
NISTSP 800-39
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Risk Management Hierarchy
NISTSP 800-39
Risk Management Strategy
TIER 3
Information System
TIER 2
Mission / Business Process
TIER 1Organization
Risk Executive Function(Oversight and Governance)
Risk Assessment Methodologies
Risk Mitigation Approaches
Risk Tolerance
Risk Monitoring Approaches
Linkage to ISO/IEC 27001
5
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Risk Management Hierarchy
NISTSP 800-39
Risk Management Strategy
TIER 3
Information System
TIER 2
Mission / Business Process
TIER 1Organization
Mission / Business Processes
Information Flows
Information Categorization
Information Protection Strategy
Information Security Requirements
Linkage to Enterprise Architecture
6
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Risk Management Hierarchy
NISTSP 800-37
TIER 3
Information System
TIER 2
Mission / Business Process
TIER 1Organization
Linkage to SDLC
Information System Categorization
Selection of Security Controls
Security Control Allocationand Implementation
Security Control Assessment
Risk Acceptance
Continuous Monitoring
Risk Management Framework
7
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Risk Management Framework
Security Life Cycle
Determine security control effectiveness(i.e., controls implemented correctly,
operating as intended, meeting security requirements for information system).
ASSESSSecurity Controls
Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
CATEGORIZE Information System
Starting Point
Continuously track changes to the information system that may affect
security controls and reassess control effectiveness.
MONITORSecurity Controls
AUTHORIZE Information System
Determine risk to organizational operations and assets, individuals,
other organizations, and the Nation;if acceptable, authorize operation.
Implement security controls within enterprise architecture using sound
systems engineering practices; apply security configuration settings.
IMPLEMENT Security Controls
SELECT Security Controls
Select baseline security controls; apply tailoring guidance and
supplement controls as needed based on risk assessment.
8
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Common Risk Management Process
NIST Special Publication 800-37, Revision 1
Guide for Applying the Risk Management Framework to Federal Information
Systems: A Security Life Cycle Approach
Developed by Joint Task Force Transformation Initiative Working Group Office of the Director of National Intelligence
Department of Defense
Committee on National Security Systems
National Institute of Standards and Technology
Final Public Draft (November 2009)
9
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Purpose
Provide guidelines for applying the Risk Management Framework to federal information systems—
To ensure that managing risk from information systems is consistent with mission/business objectives and the overall risk strategy established by the senior leadership through the risk executive (function).
To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes.
To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.
To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies.
10
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Applicability
Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.
National security systems with the approval of federal officials exercising policy authority over such systems.
State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
11
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Target Audience
Individuals with mission/business ownership responsibilities or fiduciary responsibilities.
Individuals with information system development and integration responsibilities.
Individuals with information system and/or security management/oversight responsibilities.
Individuals with information system and security control assessment and monitoring responsibilities.
Individuals with information security implementation and operational responsibilities.
12
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Characteristics of RMF-Based Process(1 of 3)
Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes.
Integrates information security more closely into the enterprise architecture and system development life cycle.
Provides equal emphasis on the security control selection, implementation, assessment, and monitoring, and the authorization of information systems.
13
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Characteristics of RMF-Based Process(2 of 3)
Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function).
Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.
14
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Characteristics of RMF-Based Process(3 of 3)
Encourages the use of automation to:
Increase consistency, effectiveness, and timeliness of security control implementation and functionality; and
Provide senior leaders the necessary information to take credible, risk-based decisions with regard to the information systems supporting their core missions and business functions.
15
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Mainstreaming Information Security
Information security requirements must be considered first order requirements and are critical to mission and business success.
An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecturefor the organization and are integrated early into the system development life cycle.
17
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
System Development Life Cycle(1 of 2)
RMF steps are carried out within the five phases of the SDLC.
System Initiation Phase
System Development / Acquisition Phase
System Implementation Phase
System Operations / Maintenance Phase
System Disposal Phase
Flexibility on types of SDLC models employed by the organization (e.g., spiral, waterfall, agile development).
18
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
System Development Life Cycle(2 of 2)
Integrating information security requirements into the SDLC provides the most efficient and cost-effective method for an organization to ensure that:
Cost, schedule, and performance requirements are satisfied.
Missions and business operations supported by the information system are adequately protected.
Security-related activities are carried out as early as possible and not repeated unnecessarily.
Risk management activities are not isolated or decoupled from the management processes employed to develop, implement, operate, and maintain the information system.
19
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Applying the Risk Management Framework to Information Systems
20
Risk ManagementFramework
Near Real Time Security
Status Information
Output from Automated
Support Tools
Authorization
Package
SECURITY PLAN
including updated Risk Assessment
SECURITY ASSESSMENT
REPORT
PLAN OF ACTION AND
MILESTONES
INFORMATION SYSTEM
CATEGORIZEInformation System
ASSESSSecurity Controls
AUTHORIZEInformation System
IMPLEMENTSecurity Controls
MONITORSecurity Controls
SELECTSecurity Controls
Risk Executive
(Function) Inputs
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Information System Boundaries
Define the scope of protection for information systems (i.e., what the organization agrees to protect under its direct control or within the scope of its responsibilities).
Include the people, processes, and technologies that are part of the systems supporting the organization’s missions and business processes.
Need to be established before information system security categorization and the development of security plans.
21
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Large and Complex Systems
From a centralized development, implementation, and operations perspective— The organization examines the purpose of the information system and
considers the feasibility of decomposing the complex system into more manageable components, or subsystems.
From a distributed development, implementation, and operations perspective— The organization recognizes that multiple entities, possibly operating
under different policies, may be contributing to the development, implementation, and/or operations of the subsystems that comprise the overall information system.
22
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Large and Complex Systems(Including System of Systems)
- Security plan reflects information system decomposition with security controls
assigned to each subsystem component.
- Security assessment procedures tailored for the security controls in each subsystem
component and for the combined system level.
- Security control assessment performed on each subsystem component and on
system-level controls not covered by subsystem security control assessments.
- Security authorization conducted on the information system as a whole.
ORGANIZATIONAL INFORMATION SYSTEM
DYNAMIC EXTERNAL
SUBSYSTEM
SUBSYSTEM
LAN ONESUBSYSTEM
LAN TWO
SUBSYSTEM
GUARD
SUBSYSTEM
GUARD / GATEWAY
DYNAMIC SUBSYSTEM
STATIC EXTERNAL
SUBSYSTEM
DYNAMIC SUBSYSTEM
(Sub) System Boundary
23
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Security Control Allocation
Security controls are defined to be system-specific, hybrid, or common.
Security controls are allocated to specific components of organizational information systems as system-specific, hybrid, or common controls.
Security control allocations are consistent with the organization’s enterprise architecture and information security architecture.
24
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Security Control Accountability
Strategic Risk Management
Focus
Tactical Risk Management
Focus
Top Level Risk Management
Strategy Informs
Operational Elements
Enterprise-Wide
Security
Assessment
Report
Security
Plan
Plan of Action
and Milestones
Security
Assessment
Report
Plan of Action and
MilestonesSecurity
Plan
Core Missions / Business Processes
Security Requirements
Policy Guidance
RISK EXECUTIVE FUNCTIONOrganization-wide Risk Governance and Oversight
Security
Assessment
Report
Security
Plan
Plan of Action
and Milestones
INFORMATION
SYSTEM
System-specific
Controls
On
go
ing
Au
tho
riza
tio
n D
ecis
ion
s
On
go
ing
Au
tho
riza
tio
n D
ecis
ion
s
Ongoing Authorization Decisions
RISK
MANAGEMENT
FRAMEWORK
(RMF)
COMMON CONTROLS
Security Controls Inherited by Organizational Information Systems
Hyb
rid
Co
ntr
ols
INFORMATION
SYSTEM
System-specific
Controls
Hyb
rid
Co
ntr
ols
25
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Task Structure(1 of 2)
Task Section Describes the specific RMF task within the appropriate step in the Risk
Management Framework.
Primary Responsibility Section Lists the individual or group within the organization having primary responsibility for
executing the RMF task.
Supporting Roles Section Lists the supporting roles within the organization that may be necessary to help the
individual or group with primary responsibility for executing the RMF task.
SDLC Phase Section Lists the particular phase of the SDLC when the RMF task is typically executed.
27
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Task Structure(2 of 2)
Supplemental Guidance Section Provides supplemental guidance for executing the RMF task including additional
information from relevant supporting security policies, instructions, standards, and guidelines.
References Section Provides general references to NIST security standards and guidelines that should
be consulted for additional information with regard to executing the RMF task.
Provides specific national security system references to CNSS policies and instructions that should be consulted for additional information with regard to executing the RMF task when the general references are either insufficient or inappropriate for national security application.
28
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 1 Tasks
Security Categorization
Task 1-1: Categorize the information system and document the results of the security categorization in the security plan.
Information System Description
Task 1-2: Describe the information system (including system boundary) and document the description in the security plan.
Information System Registration
Task 1-3: Register the information system with appropriate organizational program/management offices.
RMF Step 1: Categorize Information System
29
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #1
Has the organization completed a security categorization of the information
system including the information to be processed, stored, and transmitted by
the system?
Are the results of the security categorization process for the information
system consistent with the organization’s enterprise architecture and
commitment to protecting organizational mission/business processes?
Do the results of the security categorization process reflect the organization’s
risk management strategy?
Has the organization adequately described the characteristics of the
information system?
Has the organization registered the information system for purposes of
management, accountability, and oversight?
30
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 2 Tasks(1 of 2)
Security Control Selection
Task 2-1: Select the security controls for the information system and document the controls in the security plan.
Common Control Identification
Task 2-2: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).
RMF Step 2: Select Security Controls
31
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 2 Tasks(2 of 2)
Monitoring Strategy
Task 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information system and its environment of operation.
Security Plan Approval
Task 2-4: Review and approve the security plan.
RMF Step 2: Select Security Controls
32
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #2(1 of 2)
Has the organization allocated all security controls to the information system
as system-specific, hybrid, or common controls?
Has the organization identified authorizing officials for the information
system and all common controls inherited by the system?
Has the organization tailored and supplemented the baseline security
controls to ensure that the controls, if implemented, adequately mitigate risks
to organizational operations and assets, individuals, other organizations, and
the Nation?
Has the organization addressed minimum assurance requirements for the
security controls employed within and inherited by the information system?
33
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #2(2 of 2)
Has the organization approved the security control baseline for the common
controls inherited by the information system?
Has the organization supplemented the common controls with system-
specific or hybrid controls when the security control baselines of the common
controls are less than those of the information system inheriting the controls?
Has the organization developed a continuous monitoring strategy for the
information system that reflects the organizational risk management strategy
and commitment to protecting critical missions and business functions?
Have appropriate organizational officials approved security plans containing
system-specific, hybrid, and common controls?
34
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 3 Tasks
Security Control Implementation
Task 3-1: Implement the security controls specified in the security plan.
Security Control Documentation
Task 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).
RMF Step 3: Implement Security Controls
35
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #3(1 of 2)
Has the organization allocated security controls as system-specific, hybrid, or
common controls consistent with the enterprise architecture and information
security architecture?
Has the organization demonstrated the use of sound information system and
security engineering methodologies in integrating information technology
products into the information system and in implementing the security controls
contained in the security plan?
Has the organization documented how common controls inherited by
organizational information systems have been implemented?
36
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #3(2 of 2)
Has the organization documented how system-specific and hybrid security
controls have been implemented within the information system taking into
account specific technologies and platform dependencies?
Has the organization taken into account the minimum assurance
requirements when implementing security controls?
37
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 4 Tasks
Assessment Preparation
Task 4-1: Develop, review, and approve a plan to assess the security controls.
Security Control Assessment
Task 4-2: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
Security Assessment Report
Task 4-3: Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
RMF Step 4: Assess Security Controls
38
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #4(1 of 2)
Has the organization developed a comprehensive plan to assess the security
controls employed within or inherited by the information system?
Was the assessment plan reviewed and approved by appropriate
organizational officials?
Has the organization considered the appropriate level of assessor
independence for the security control assessment?
Has the organization provided all of the essential supporting assessment-
related materials needed by the assessor(s) to conduct an effective security
control assessment?
39
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #4(2 of 2)
Did the assessor(s) complete the security control assessment in
accordance with the stated assessment plan?
Did the organization receive the completed security assessment report with
appropriate findings and recommendations from the assessor(s)?
40
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 5 Tasks(1 of 2)
Remediation Actions
Task 5-1: Conduct initial remediation actions based on the findings and recommendations of the security assessment report.
Plan of Action and Milestones
Task 5-2: Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.
Security Authorization Package
Task 5-3: Assemble the security authorization package and submit the package to the authorizing official for adjudication.
RMF Step 5: Authorize Information System
41
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 5 Tasks(2 of 2)
Risk Determination
Task 5-4: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
Risk Acceptance
Task 5-5: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.
RMF Step 5: Authorize Information System
42
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #5(1 of 2)
Did the organization take the necessary remediation actions to address the
most important weaknesses and deficiencies in the information system and its
environment of operation based on the findings and recommendations in the
security assessment report?
Did the organization update appropriate security plans based on the findings
and recommendations in the security assessment report and any subsequent
changes to the information system and its environment of operation?
Did the organization develop a plan of action and milestones reflecting
organizational priorities for addressing the remaining weaknesses and
deficiencies in the information system and its environment of operation?
43
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #5(2 of 2)
Did the final risk determination and risk acceptance by the authorizing
official reflect the risk management strategy developed by the organization
and conveyed by the risk executive (function)?
• Was the authorization decision conveyed to appropriate organizational
personnel including information system owners and common control
providers?
44
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 6 Tasks(1 of 3)
Information System and Environment Changes
Task 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation.
Ongoing Security Control Assessments
Task 6-2: Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.
Ongoing Remediation Actions
Task 6-3: Conduct selected remediation actions based on the results of ongoing monitoring activities and the outstanding items in the plan of action and milestones.
RMF Step 6: Monitor Security Controls
45
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 6 Tasks(2 of 3)
Critical Updates
Task 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.
Security Status Reporting
Task 6-5: Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system), to appropriate organizational officials on an ongoing basis in accordance with the organization-defined monitoring strategy.
RMF Step 6: Monitor Security Controls
46
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
RMF Step 6 Tasks(3 of 3)
Ongoing Risk Determination and Acceptance
Task 6-6: Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable.
Information System Removal and Decommissioning
Task 6-7: Implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service.
RMF Step 6: Monitor Security Controls
47
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #6(1 of 2)
Is the organization effectively monitoring changes to the information system
and its environment of operation including the effectiveness of deployed
security controls in accordance with the continuous monitoring strategy?
Is the organization effectively analyzing the security impacts of identified
changes to the information system and its environment of operation?
Is the organization conducting ongoing assessments of security controls in
accordance with the monitoring strategy?
Is the organization taking the necessary remediation actions on an ongoing
basis to address identified weaknesses and deficiencies in the information
system and its environment of operation?
48
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Checkpoint #6(2 of 2)
Does the organization have an effective process in place to report the
security status of the information system and its environment of operation to
the authorizing officials and other designated senior leaders within the
organization on an ongoing basis?
Is the organization updating key risk management documents based on
ongoing monitoring activities?
Are authorizing officials conducting ongoing security authorizations by
employing effective continuous monitoring activities and communicating
updated risk determination and acceptance decisions to information system
owners and common control providers?
49
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Supporting Appendices
References
Glossary
Acronyms
Roles and Responsibilities
Summary of RMF Tasks
Security Authorization
Continuous Monitoring
Operational Scenarios
Security Controls in External Environments
51
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Recognition of Authorization Results
Determining risk to the organization’s
operations and assets, individuals, other
organizations, and the Nation; and the
acceptability of such risk.
The objective is to achieve transparency of prospective partner’s information security
authorization processes…establishing trust relationships based on common, shared
risk management principles.
Organization One
INFORMATION
SYSTEM
Plan of Action and Milestones
Security Assessment Report
Security Plan
Business / Mission
Information Flow
Security Authorization
Information
Plan of Action and Milestones
Security Assessment Report
Security Plan
Organization Two
INFORMATION
SYSTEM
Determining risk to the organization’s
operations and assets, individuals, other
organizations, and the Nation; and the
acceptability of such risk.
52
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Milestone Schedule
NIST Special Publication 800-37, Revision 1Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Initial Public Draft: August 2008
Final Public Draft: November 2009
Final Publication: February 2010
Download Publication from NIST Web Sitehttp://csrc.nist.gov/publications/PubsDrafts.html
Comments (November 17 through December 31, 2009)
53
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader Administrative Support
Dr. Ron Ross Peggy Himes
(301) 975-5390 (301) 975-2489
[email protected] [email protected]
Senior Information Security Researchers and Technical Support
Marianne Swanson Kelley Dempsey
(301) 975-3293 (301) 975-2827
[email protected] [email protected]
Pat Toth Arnold Johnson
(301) 975-5140 (301) 975-3247
[email protected] [email protected]
Web: csrc.nist.gov/sec-cert Comments: [email protected]
54